It is important to understand the security mechanisms that protect the server resources through the CBIND, SERVER, and STARTED classes in RACF® (or your security product). This article describes these mechanisms along with some techniques for managing the security environment.
The next part of the article describes adding the required RACF profiles and permissions for another server in your cell.
The last part of the article shows how you can define the minimal set of users, groups, and profiles for a testing environment (where security of individual servers is not the main focus or concern).
RACF Profiles (CBIND, SERVER, and STARTED): Basic information about the RACF profiles used by WebSphere can be found in the System Authorization Facility classes and profiles. This section adds some additional details about the CBIND, SERVER, and STARTED class profiles.
CR = Controller Region
SR = Servant Region
CFG = Configuration (group)
server = server short name
cluster = generic server (short) name (also called cluster transition name)
User ID                Group(s): default group, then any connected group
<CR_userid>            <CR_groupid>, <CFG_groupid>
<SR_userid>            <SR_groupid>, <CFG_groupid>
<demn_userid>          <demn_groupid>, <CFG_groupid>
<admin_userid>         <CFG_groupid>
<client_userid>        <client_groupid>
<ctracewtr_userid>     <ctracewtr_groupid>
Below are the various profiles used to protect the WebSphere servers and resources, along with the permissions and access levels.
CBIND Class profiles - access to generic servers:
  CB.BIND.<cluster>    UACC(READ); PERMIT <CR_groupid> ACC(CONTROL)
CBIND Class profiles - access to objects in servers:
  CB.<cluster>         UACC(READ); PERMIT <CR_groupid> ACC(CONTROL)
SERVER Class Profiles: There are currently two formats of SERVER class profile for protecting access to the server controller regions, and you define exactly one of them, depending on whether Dynamic Application Environment (DAE) support is enabled. DAE support is provided by WLM APAR OW54622, which applies to z/OS V1R2 or higher.
  Without DAE:   CB.<server>.<cluster>
  With DAE:      CB.<server>.<cluster>.<cell>
In either format the profile is defined with UACC(NONE), and the servant region user ID is permitted READ access so that the servant can connect to its controller; granting READ more widely (or raising UACC) lets any user ID connect to the controller.
STARTED Class profiles - (MGCRE):
  <CR_proc>.<CR_jobname>       STDATA(USER(<CR_userid>) GROUP(<CFG_groupid>))
  <demn_proc>.*                STDATA(USER(<demn_userid>) GROUP(<CFG_groupid>))
STARTED Class profiles - (ASCRE):
  <SR_jobname>.<SR_jobname>    STDATA(USER(<SR_userid>) GROUP(<CFG_groupid>))
STARTED Class profiles for IJP - (MGCRE):
  <MQ_ssname>.*                STDATA(USER(<IJP_userid>) GROUP(<CFG_groupid>))
Generating new user IDs and Profiles for a new Server: If you want to use unique user IDs for each new application server, you must define the following users, groups, and profiles in the RACF database.
User IDs and groups:
  <New_CR_userid>        <CR_groupid>, <CFG_groupid>
  <New_SR_userid>        <SR_groupid>, <CFG_groupid>
  <New_client_userid>    <client_groupid>
CBIND Class profiles:
  CB.BIND.<New_cluster>
  CB.<New_cluster>
SERVER Class profiles (define only the one that matches your DAE setting):
  CB.<New_server>.<New_cluster>
  CB.<New_server>.<New_cluster>.<cell>
STARTED Class profiles:
  <CR_proc>.<New_CR_jobname>   STDATA(USER(<New_CR_userid>) GROUP(<CFG_groupid>))
  <New_SR_jobname>.*           STDATA(USER(<New_SR_userid>) GROUP(<CFG_groupid>))
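To make the per-server profile set concrete (both the generic CBIND, SERVER and STARTED definitions above and the new-server procedure just listed), here is an added example that is not code from the original article or from IBM: it generates the RACF commands for one new server from its short names, picks the SERVER profile format from the DAE flag, and ends with the RACLIST refresh that activates the profiles. The sample names (T5SRVB, T5CLB, T5CELL, T5ACR, T5ACRUB and so on) are constructed for illustration; the ACC() short form used in the tables is written out as ACCESS(); and the ADDUSER commands use the NOPASSWORD and DFLTGRP operands while leaving out the OMVS segment, which is an assumption about how your site adds it.

```python
"""RACF command generator for one WebSphere for z/OS application server.

Added example, not code from the original article or from IBM. The sample
names (T5SRVB, T5CLB, T5CELL, ...) are constructed for illustration."""
from dataclasses import dataclass

NAME_FIELDS = ("cr_jobname", "sr_jobname", "cr_userid", "sr_userid",
               "cr_groupid", "sr_groupid", "cfg_groupid")


@dataclass(frozen=True)
class ServerNames:
    server: str       # server short name
    cluster: str      # generic server (cluster transition) name
    cell: str         # cell short name
    cr_proc: str      # controller region cataloged procedure
    cr_jobname: str   # controller region job name
    sr_jobname: str   # servant region job name
    cr_userid: str    # controller region user ID
    sr_userid: str    # servant region user ID
    cr_groupid: str   # controller group (gets CONTROL on CBIND)
    sr_groupid: str   # servant group
    cfg_groupid: str  # configuration group (GROUP() in STDATA)

    def __post_init__(self):
        # RACF user/group names and z/OS job names are 1 to 8 characters.
        for field_name in NAME_FIELDS:
            value = getattr(self, field_name)
            if not 1 <= len(value) <= 8:
                raise ValueError(f"{field_name}={value!r} must be 1-8 characters")


def user_commands(n: ServerNames) -> list[str]:
    """Protected (NOPASSWORD) region user IDs, connected to the CFG group.
    Assumption: the OMVS segment WebSphere also needs is added per site standard."""
    cmds = []
    for userid, dfltgrp in ((n.cr_userid, n.cr_groupid), (n.sr_userid, n.sr_groupid)):
        cmds.append(f"ADDUSER {userid} DFLTGRP({dfltgrp}) NOPASSWORD")
        cmds.append(f"CONNECT {userid} GROUP({n.cfg_groupid})")
    return cmds


def cbind_commands(n: ServerNames) -> list[str]:
    """CBIND: UACC(READ) so clients can bind to the generic server and reach
    its objects; only the controller group is given CONTROL."""
    cmds = []
    for profile in (f"CB.BIND.{n.cluster}", f"CB.{n.cluster}"):
        cmds.append(f"RDEFINE CBIND {profile} UACC(READ)")
        cmds.append(f"PERMIT {profile} CLASS(CBIND) ID({n.cr_groupid}) ACCESS(CONTROL)")
    return cmds


def server_profile_name(n: ServerNames, dae_enabled: bool) -> str:
    """Exactly one SERVER profile format applies: with WLM Dynamic Application
    Environment support the cell short name is appended."""
    base = f"CB.{n.server}.{n.cluster}"
    return f"{base}.{n.cell}" if dae_enabled else base


def server_commands(n: ServerNames, dae_enabled: bool) -> list[str]:
    """SERVER: UACC(NONE); only the servant user ID gets READ, which is what
    it needs to connect to the controller region."""
    profile = server_profile_name(n, dae_enabled)
    return [f"RDEFINE SERVER {profile} UACC(NONE)",
            f"PERMIT {profile} CLASS(SERVER) ID({n.sr_userid}) ACCESS(READ)"]


def started_commands(n: ServerNames) -> list[str]:
    """STARTED: controller matched on proc.jobname (MGCRE), servant on
    jobname.* (ASCRE); both regions run under the configuration group."""
    return [f"RDEFINE STARTED {n.cr_proc}.{n.cr_jobname} "
            f"STDATA(USER({n.cr_userid}) GROUP({n.cfg_groupid}))",
            f"RDEFINE STARTED {n.sr_jobname}.* "
            f"STDATA(USER({n.sr_userid}) GROUP({n.cfg_groupid}))"]


def new_server_commands(n: ServerNames, dae_enabled: bool) -> list[str]:
    """Complete command set; the final RACLIST refresh makes it effective."""
    return (user_commands(n) + cbind_commands(n) + server_commands(n, dae_enabled)
            + started_commands(n) + ["SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH"])


def weak_server_profiles(cmds: list[str]) -> list[str]:
    """Review check: a SERVER profile with any UACC other than NONE lets every
    user ID connect to the controller. Returns the offending RDEFINE lines."""
    return [c for c in cmds
            if c.startswith("RDEFINE SERVER ") and "UACC(NONE)" not in c]


if __name__ == "__main__":
    sample = ServerNames(server="T5SRVB", cluster="T5CLB", cell="T5CELL",
                         cr_proc="T5ACR", cr_jobname="T5SRVB", sr_jobname="T5SRVBS",
                         cr_userid="T5ACRUB", sr_userid="T5ASRUB", cr_groupid="T5ACRG",
                         sr_groupid="T5ASRG", cfg_groupid="T5CFG")
    for line in new_server_commands(sample, dae_enabled=True):
        print(line)
```

Run the emitted commands from TSO (or an IKJEFT01 batch job), then confirm with RLIST, for example RLIST SERVER CB.T5SRVB.T5CLB.T5CELL AUTHUSER, that the only ID holding READ is the servant user ID. The weak_server_profiles check is there because the one setting that undoes this whole scheme is a SERVER profile left at UACC(READ): CBIND profiles are meant to be UACC(READ), SERVER profiles are not.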
Minimal RACF definitions for a test environment, using one user ID (T5USR) and one group (T5GRP) for every region and generic profiles that match every cluster name beginning with T5CL:

/* CBIND Class profiles (UACC) - access to generic servers */
CB.BIND.T5CL*      UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)
/* CBIND Class profiles (UACC) - access to objects in servers */
CB.T5CL*           UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)
/* SERVER Class profiles - access to controllers (old style) */
CB.*.T5CL*         UACC(NONE); PERMIT ID(T5USR) ACC(READ)
/* SERVER Class profiles - access to controllers (new style) */
CB.*.*.T5CELL      UACC(NONE); PERMIT ID(T5USR) ACC(READ)
/* STARTED Class profiles - (MGCRE) - for STCs, except servants */
T5ACR.*            STDATA(USER(T5USR) GROUP(T5GRP))    /* controller */
T5DMN.*            STDATA(USER(T5USR) GROUP(T5GRP))    /* daemon     */
T5CTRW.*           STDATA(USER(T5USR) GROUP(T5GRP))    /* CTrace WTR */
WMQX*.*            STDATA(USER(T5USR) GROUP(T5GRP))    /* IJP        */
/* STARTED Class profiles - (ASCRE - for servants) */
T5SRV*.*           STDATA(USER(T5USR) GROUP(T5GRP))    /* servant    */